On Thu, 2003-01-23 at 05:40, Kristoff Bonne wrote:
> Greetings,
>
>
> Jeffrey Stedfast wrote:
>
> >> As I had been asked to set up a new mail-server, I also took the time at
> >> looking at a new mail-client; and so that's why I have been 'playing
> >> around' with evolution for a couple of days now.
> >>
> >>
> >> One of the things I would like to ask is this:
> >>
> >> Evolution has the possibility to use TSL (SSL) for both IMAP and SMTP; but
> >> I have problems with sendmail mail over a TSL link.
> >>
> >> When I set up 'TSL/SSL' in the SMTP-configuration module, the TSL seems
> >> to fail. (I actually get this:
> >>
> >>> Received: from freya.belbone.net ([192.168.252.55]) by
> >>> ossmail1.sunmail.belbone.net. (8.12.7/8.12.2) with ESMTP id
> >>> h0MDXft5008821
> >>> (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO) for
> >>> <[EMAIL PROTECTED]>; Wed, 22 Jan 2003 14:33:41 +0100 (CET)
> >>
> >> (Note the 'verify=NO').
> >>
> >>
> >> It looks like there seems to be a TSL-problem between evolution (on the
> >> mail-client, a mandrake 8.0 linux-box) and sendmail (on the mail-server,
> >> a solaris 9).
> >>
> >
> > I have no idea what that means, but it's nothing you should worry
> > about presumably.
>
>
> Well, for me, it's important there is an option in sendmail which allows
> relaying of messages to be linked to whether the connection was TSL
> validated or not.

agh! stop calling it TSL, it's TLS - Transport Security Layer. :-)

>
> Management has issued a policy on network-security (in general); and I
> want to be able to implement it as much as possible.
> So that's why I want to FORCE people to use TSL. (One thing is for sure, if
> you do not force them, they
> will not use it. ;-))
>
> For IMAP, this is not a problem as the UW imap-server only allows
> connections that are TSL validated; so I want to implement the same
> thing on SMTP-level.
>
>
> >> One of the possibilities is that the problem could be related
> >> to the X.509 certificates used by openssl.
> >> I have installed the certificates of the server and the CA in the
> >> 'cert7.db' and 'keys3.db' on the client-side (using 'certutil' from
> >> mozilla).
> >> But how do I configure or know what key the client will use to set up a
> >> SMTP/TSL connection to the server?
> >>
> >>
> > Clients do not use certs to verify who it is against the server for
> > SSL ciphered mail protocols. The server sends its cert to the client
> > so the client can verify the server is who it claims to be.
>
> Well, sendmail has certificates both when acting as a server or a client.
>
> AFAIK, TSL allows certification on both sides; so that the server can be

yes, TLS does.

> sure the client is really who he is. (based on the certificates).
> Although this doesn't really make any sense in a HTTP-server (where it is
> doubtful the server will 'know' all the clients),

right.

> this could be useful
> for mail, like for SMTP-servers. Sendmail actually gets two certificates:
> one for 'client' sessions and one for 'server' sessions. (These can be
> identical but this doesn't have to be the case).

mail protocols do not use client-ssl-certs, just like they are not used
for HTTP.

>
> In any case, the question is, that -even if the certificate is only used for
> verifying the server- why the test fails.

I do not know, nor is it likely to be anything related to Evolution.

> The server uses the same certificate for imap (UW imapd) and smtp
> (sendmail), imap/ssl between the mail-client and this server works, and
> smtp/tsl between that server and the 'gateway' (also running sendmail)
> also works.
>
> Is there any way to get additional debug-info from the SMTP/TSL code in
> evolution to find out WHY it fails?

it's not failing, I dunno wtf your server is doing, but it is extremely
likely that "verify=false" is false because it cannot possibly ever be
"true" due to the restriction in the way TLS works for mail protocols.

Evolution uses the Mozilla nss libs for SSL/TLS, you'd have to ask them
about debug tools. I do not know of any offhand.

Jeff

-- 
Jeffrey Stedfast
Evolution Hacker - Ximian, Inc.
[EMAIL PROTECTED] - www.ximian.com
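
Added example, not part of the original thread: a Python parser that pulls the `(version=... cipher=... bits=... verify=...)` clause out of each `Received:` header so the TLS status of every hop in a message can be audited. The function names, the second hop in the sample and the replaced recipient address are constructed for illustration; the `verify` meanings are those sendmail documents for its `${verify}` macro.

```python
import re
from email import message_from_string

# TLS clause in the form sendmail wrote into the Received: header quoted above.
TLS_CLAUSE = re.compile(
    r"\(version=(?P<version>\S+)\s+cipher=(?P<cipher>\S+)\s+"
    r"bits=(?P<bits>\d+)\s+verify=(?P<verify>[A-Z]+)\)")

# Meanings sendmail documents for its ${verify} macro (subset).
VERIFY_MEANING = {
    "OK": "peer certificate verified",
    "NO": "no certificate presented by the peer",
    "NOT": "no certificate requested",
    "FAIL": "certificate presented but could not be verified",
    "NONE": "STARTTLS not performed",
}

# Constructed sample: first hop copied from the thread (recipient replaced),
# second hop invented for illustration.
SAMPLE = """\
Received: from freya.belbone.net ([192.168.252.55]) by
 ossmail1.sunmail.belbone.net. (8.12.7/8.12.2) with ESMTP id
 h0MDXft5008821
 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO) for
 <user@example.invalid>; Wed, 22 Jan 2003 14:33:41 +0100 (CET)
Received: from host-a.example.invalid by host-b.example.invalid
 with ESMTP id CONSTRUCTED1; Wed, 22 Jan 2003 14:33:40 +0100 (CET)
Subject: constructed sample

body
"""

def tls_hops(raw_message):
    """Return one dict per Received: header, newest hop first."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        by = re.search(r"\bby\s+(\S+)", flat)
        hop = {"by": by.group(1).rstrip(".") if by else None, "tls": False}
        m = TLS_CLAUSE.search(flat)
        if m:
            hop.update(m.groupdict(), tls=True, bits=int(m["bits"]))
        hops.append(hop)
    return hops

def findings(hops):
    """List (host, reason) for hops lacking a TLS clause or with verify != OK."""
    out = []
    for hop in hops:
        if not hop["tls"]:  # other MTAs may log TLS differently
            out.append((hop["by"], "no sendmail-style TLS clause"))
        elif hop["verify"] != "OK":
            why = VERIFY_MEANING.get(hop["verify"], "unrecognised value")
            out.append((hop["by"], f"verify={hop['verify']}: {why}"))
    return out
```

Calling `findings(tls_hops(SAMPLE))` returns one entry per hop here: the hop from the thread because of `verify=NO`, and the constructed hop because it carries no TLS clause at all.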
